Unrated severity · NVD Advisory · Published Apr 5, 2021 · Updated Aug 3, 2024

CVE-2021-30141

Description

Friendica through 2021.01 allows unauthenticated access to the settings/userexport route, leading to a denial of service via memory exhaustion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Friendica versions through 2021.01, the `Module/Settings/UserExport.php` endpoint is accessible without authentication, contrary to its intended restriction to logged-in users [1][2]. The route `settings/userexport` does not check for a valid user session before attempting to process an export request, causing a PHP notice when trying to access an array offset on a null value (`Trying to access array offset on value of type null in UserExport.php on line 93`) and subsequently triggering a fatal error when the system exhausts the allowed memory (e.g., `Allowed memory size of 218103808 bytes exhausted in Database.php`) [2].
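
A log check for the failure signature quoted above, added here as an example and not taken from Friendica or the advisory: it scans a PHP error log for the `UserExport.php` null-offset notice followed shortly by the memory-exhaustion fatal in `Database.php`. The bracketed timestamp prefix, the file paths, and the 60-second correlation window are assumptions, and the sample log is constructed.

```python
import re
from datetime import datetime, timedelta

# Signatures built from the two error messages quoted in the advisory text.
NOTICE = re.compile(r"Trying to access array offset on value of type null in \S*UserExport\.php")
FATAL = re.compile(r"Allowed memory size of (\d+) bytes exhausted.* in \S*Database\.php")
# Assumed prefix of PHP's default error_log format, e.g. [05-Apr-2021 10:00:01 UTC]
STAMP = re.compile(r"^\[(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})[^\]]*\]")

def parse_time(line):
    m = STAMP.match(line)
    return datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S") if m else None

def find_userexport_dos(lines, window_seconds=60):
    """Return (notice_time, fatal_time, memory_limit) for each memory-exhaustion
    fatal that follows a UserExport null-offset notice within the window."""
    hits, last_notice = [], None
    window = timedelta(seconds=window_seconds)
    for line in lines:
        ts = parse_time(line)
        if ts is None:
            continue  # stack-trace continuation lines carry no timestamp
        if NOTICE.search(line):
            last_notice = ts
        elif (m := FATAL.search(line)) and last_notice is not None:
            if timedelta(0) <= ts - last_notice <= window:
                hits.append((last_notice, ts, int(m.group(1))))
            last_notice = None  # each notice is paired with at most one fatal
    return hits

# Constructed sample log: paths, times and all line numbers except 93 are made up.
SAMPLE_LOG = """\
[05-Apr-2021 10:00:01 UTC] PHP Notice:  Trying to access array offset on value of type null in /var/www/friendica/src/Module/Settings/UserExport.php on line 93
[05-Apr-2021 10:00:09 UTC] PHP Fatal error:  Allowed memory size of 218103808 bytes exhausted (tried to allocate 20480 bytes) in /var/www/friendica/src/Database/Database.php on line 1
[05-Apr-2021 11:30:00 UTC] PHP Fatal error:  Allowed memory size of 218103808 bytes exhausted (tried to allocate 4096 bytes) in /var/www/friendica/src/Database/Database.php on line 1
[05-Apr-2021 12:00:00 UTC] PHP Notice:  Undefined index: foo in /var/www/friendica/index.php on line 1
""".splitlines()

if __name__ == "__main__":
    for notice_ts, fatal_ts, limit in find_userexport_dos(SAMPLE_LOG):
        print(f"UserExport notice at {notice_ts}, memory exhausted ({limit} bytes) at {fatal_ts}")
```

Only the first fatal in the sample is reported; the 11:30 fatal has no preceding `UserExport.php` notice and is left for general out-of-memory triage.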

Exploitation

An anonymous attacker can simply navigate to the `settings/userexport` URL in a browser or via an HTTP request without any authentication cookie. No user interaction or special network position is required beyond basic HTTP access to the Friendica instance [2]. The server will attempt to handle the request, resulting in the memory exhaustion condition.

Impact

Successful exploitation leads to a denial of service (DoS) due to memory exhaustion, rendering the Friendica instance unresponsive or crashing the PHP process. While the vendor notes that the feature still requires a valid authentication cookie for actual data export, the unauthenticated route itself triggers fatal memory allocation errors, impacting availability [1][2]. No data disclosure or privilege escalation is achieved.

Mitigation

The vulnerability was fixed in commit `acbcc56754121ba080eac5b6fdf69e64ed7fe453`, which adds a check for `local_user()` at the beginning of the `content()` method and throws an `HTTPException` if the user is not authenticated, thus preventing anonymous access [1]. The fix was included in Friendica version 2021.04 and later. Users should update to at least that version. No workaround is provided for unpatched versions.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Missing authentication check in UserExport module allows anonymous users to access user data export functionality."

Attack vector

An anonymous attacker can access the `/settings/userexport` route without a valid session. The `content()` method previously had no authentication guard, so calling this route would trigger data export logic. Because `local_user()` returns `null` for unauthenticated users, the code attempts to use `null` as a user ID in database queries, causing an "array offset on a value of type null" PHP error and potentially excessive memory consumption as the system tries to process queries with an invalid user context [ref_id=1].

Affected code

The vulnerability is in `Module/Settings/UserExport.php` in the Friendica codebase. The `content()` and `rawContent()` static methods lacked authentication checks before the patch, allowing unauthenticated access to user data export functionality. The `exportAccount()`, `exportAll()`, and `exportContactsAsCSV()` methods also accepted an `App` object instead of a user ID, which prevented proper user context validation.

What the fix does

The patch adds an authentication check at the beginning of both the `content()` and `rawContent()` methods: `if (!local_user()) { throw new HTTPException\ForbiddenException(...); }`. This ensures that only authenticated users can access the export functionality. Additionally, the patch changes the signatures of `exportAccount()`, `exportAll()`, and `exportContactsAsCSV()` to accept an `int $user_id` parameter instead of an `App` object, and adds an `if (!$user_id) { throw new \RuntimeException(...); }` guard in each. All internal calls to `local_user()` are replaced with the passed `$user_id`, ensuring the exported data belongs to the authenticated user [ref_id=1].

Preconditions

  • network: The attacker must be able to send HTTP requests to the Friendica instance.
  • auth: No authentication or session cookie is required (the route is accessible to non-logged users).

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
